Go Back   getDare Truth or Dare > Special > getDare.com

Reply
 
Thread Tools Display Modes
Old 11-10-2016, 08:09 PM   #1
Locked Puppy
getDare Devil
 
Locked Puppy's Avatar
 
Join Date: Jun 2013
Location: in a cage (Leipzig, Saxony, Germany)
Posts: 1,298
Blog Entries: 11
Bomb SSL/TLS via httpS?

Hello getDare

I love this site! I use it on my phone even. And with all the free WiFi in the cities I would just love to use it while logged into a public WiFi-AccesPoint. But I don't.

Why? Because the traffic between my phone and the site-server is not encrypted. Anyone logged into the same access point could read my traffic, my username, if I need to log in even my password, when checking my profile options .. anything really.
I know, because I sometimes am one of those people lurking in free WiFis just to see what people are doing.

Eventually I will use a VPN to my home, encrypting all my traffic either way. Still though, I would love to see getdare use https. And not just as an option, but always default to it.

I currently can't afford to send any money to cover any costs concerning this because my business is just getting started and I am very very low on money - scraping by really. But since setting up webservers with encryption is part of what I do I would even offer myself to do it with and for you (always supervised via Desktop sharing).

With letsencrypt.org it is easily possible to have cost free SSL-Certificates, which renew automatically as well. Implementing this would need root shell access to the server though - which is why I would only feel comfortable doing this while sharing my desktop.

If you have a sys-admin who can do this for you, please tell him about this. If you don't I offer my services free of charge!

Should you be using a webhoster where you don't have root access, and they do want money for it, I think some users of getdare would be happy to finance a campaign to visit this site on a more secure way.

Just think about all the average non tech savvy users using the same passwords over and over again. Let their traffic get snooped et voila, they become a spam donor. Believe me: it is incredible what flies around unencrypted in a Starbucks or MacDonalds!

So.. feel free to contact me. Also maybe others would like to chime in as well.

Thank you very much for your attention!

Just ask, and I'll put it in for you

EDIT: and I just saw the suggestion zone. Maybe move it there, mods?

2nd EDIT: just imagine the shared networks in dorms and different people living together
__________________
(the puppy / it / it) - m - pan - germany
proud to be Simi's pet
Unofficial getDare Minecraft-Server


likes - limits - toys -- pm dares

Randomly Locked in Chastity
(locked or not: no orgasms for this pup)

kik: LockedPuppy

Last edited by Locked Puppy; 11-11-2016 at 10:59 AM. Reason: possibly posted in the wrong thread
Locked Puppy is offline   Reply With Quote
The following 6 users say Thank You to Locked Puppy for this post:
Old 11-13-2016, 04:45 AM   #2
redambergreen
Member
 
redambergreen's Avatar
 
Join Date: Sep 2011
Location: Europe
Posts: 89
Blog Entries: 4
Default

I've had a look into this and while it's not as bad as it first seems, it's still pretty bad.

The passwords are being hashed locally using MD5 (unsalted):

Code:
onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)"
After this the hash is sent to the server in plaintext:

Code:
Frame 28641: 880 bytes on wire (7040 bits), 880 bytes captured (7040 bits) on interface 0
Ethernet II, Src: AsrockIn_ea:c1:44 (00:34:22:ef:e0:31), Dst: SamsungE_16:36:81 (21:fb:6b:18:16:77)
Internet Protocol Version 4, Src: 192.168.192.37, Dst: 104.25.185.9
Transmission Control Protocol, Src Port: 58448, Dst Port: 80, Seq: 1, Ack: 1, Len: 826
Hypertext Transfer Protocol
    POST /bbs/login.php?do=login HTTP/1.1\r\n
    Host: www.getdare.com\r\n
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: en-GB,en;q=0.5\r\n
    Accept-Encoding: gzip, deflate\r\n
    Referer: http://www.getdare.com/bbs/\r\n
    DNT: 1\r\n
    Connection: keep-alive\r\n
    Upgrade-Insecure-Requests: 1\r\n
    Content-Type: application/x-www-form-urlencoded\r\n
    Content-Length: 194\r\n
    \r\n
    [Full request URI: http://www.getdare.com/bbs/login.php?do=login]
    [HTTP request 1/1]
    [Response in frame: 28655]
    File Data: 194 bytes
HTML Form URL Encoded: application/x-www-form-urlencoded
    Form item: "vb_login_username" = "redambergreen"
    Form item: "vb_login_password" = ""
    Form item: "s" = ""
    Form item: "securitytoken" = "guest"
    Form item: "do" = "login"
    Form item: "vb_login_md5password" = "7a495904a8c0b3e6aabe27440b436c28"
    Form item: "vb_login_md5password_utf" = "7a495904a8c0b3e6aabe27440b436c28"
(No, that's not my real hash).

This is very easily attacked by capturing the packet (as I just did), and using something like Fiddler to manipulate the POST payload upon logon with the username and hash of someone else on your local network.
__________________
32/male
My ad: https://www.getdare.com/bbs/showthread.php?t=365319
redambergreen is offline   Reply With Quote
Old 11-13-2016, 04:49 AM   #3
Zoeys fun time
Account Banned
 
Join Date: Mar 2016
Location: United states, Florida
Posts: 309
Blog Entries: 20
Default

Well in my opinion *Insert smart sounding techno Babble here*

Love,
Zoey
__________________
21/F
KIK *NEW*

Likes: pee dares, light pain,Hidden public, creative dares


Dislikes: Self Bondage, edgeing

Limits: pictures, family/freinds, Serious pain, Perminant/Body Altering, Scat

I DO HAVE THE RIGHT TO SAY "FUCK THAT I AINT DOING IT" TO ANY DARE


BDSM TEST

PM Dares
My Toys
My Human Sex Map

Im looking for new things to try so i can soon expand my likes
Zoeys fun time is offline   Reply With Quote
Old 11-13-2016, 05:32 AM   #4
Locked Puppy
getDare Devil
 
Locked Puppy's Avatar
 
Join Date: Jun 2013
Location: in a cage (Leipzig, Saxony, Germany)
Posts: 1,298
Blog Entries: 11
Default

Quote:
Originally Posted by redambergreen View Post
I've had a look into this and while it's not as bad as it first seems, it's still pretty bad.

The passwords are being hashed locally using MD5 (unsalted)

This is real bad if the servers ever get "hacked".. hmm
also: "salting" MD5 is still not secure. MD5 is obsolete since.. when was the youngest member of this site born?

I am no coder, so I have no idea what it would need to rework the password-scheme.
But if it were to be reeimplemented, I'd suggest to never roll your own "encryption/hash-function". Use what is established and gets updated.
PHP Code:
password_hash(); 
----------------------------------
Quote:
Originally Posted by redambergreen View Post
This is very easily attacked by capturing the packet (as I just did), and using something like Fiddler to manipulate the POST payload upon logon with the username and hash of someone else on your local network.
Despite the way passwords are stored on the server. This is exactly my point!
Room-mates could be neferious enough. The hole college student apartment uses the same network?.. yeah, nobody is studying IT there and wants to test what they have learned.
Or people like me.. on a public WiFi.. -- if there is one, there are many who do this

My offer about helping to implement SSL/TLS free of charge still stands!
My sites get an A+ rating on https://www.ssllabs.com/ssltest/ using a cost free certificate that automatically renews itself → https://letsencrypt.org/

Encrypt all the things!!

==============

Quote:
Originally Posted by Zoeys fun time View Post
Well in my opinion *Insert smart sounding techno Babble here*

Love,
Zoey
That should do it!
__________________
(the puppy / it / it) - m - pan - germany
proud to be Simi's pet
Unofficial getDare Minecraft-Server


likes - limits - toys -- pm dares

Randomly Locked in Chastity
(locked or not: no orgasms for this pup)

kik: LockedPuppy
Locked Puppy is offline   Reply With Quote
The following user says Thank You to Locked Puppy for this post:
Old 11-17-2016, 06:25 PM   #5
Locked Puppy
getDare Devil
 
Locked Puppy's Avatar
 
Join Date: Jun 2013
Location: in a cage (Leipzig, Saxony, Germany)
Posts: 1,298
Blog Entries: 11
Default

I did some quick digging.

I do not know which hosting plan is being used by getdare on cloudflare, but even the free option now includes SSL/TLS.
Maybe an admin can just "flick the switch" one day?

That's my 50 cents on this for now. Rachie? If you read this, any insight? Maybe get Depp back for this?
__________________
(the puppy / it / it) - m - pan - germany
proud to be Simi's pet
Unofficial getDare Minecraft-Server


likes - limits - toys -- pm dares

Randomly Locked in Chastity
(locked or not: no orgasms for this pup)

kik: LockedPuppy
Locked Puppy is offline   Reply With Quote
Old 11-29-2016, 11:35 AM   #6
Locked Puppy
getDare Devil
 
Locked Puppy's Avatar
 
Join Date: Jun 2013
Location: in a cage (Leipzig, Saxony, Germany)
Posts: 1,298
Blog Entries: 11
Default

Just a new FYI:
Firefox will soon implement warnings into forms when the site does not offer encryption!

https://ma.ttias.be/firefox-nightly-...p-as-insecure/

Again: my offer still stands!
__________________
(the puppy / it / it) - m - pan - germany
proud to be Simi's pet
Unofficial getDare Minecraft-Server


likes - limits - toys -- pm dares

Randomly Locked in Chastity
(locked or not: no orgasms for this pup)

kik: LockedPuppy
Locked Puppy is offline   Reply With Quote
Old 01-06-2017, 08:02 AM   #7
Locked Puppy
getDare Devil
 
Locked Puppy's Avatar
 
Join Date: Jun 2013
Location: in a cage (Leipzig, Saxony, Germany)
Posts: 1,298
Blog Entries: 11
Default

Just wanted to bring this up again. My offer still stands, of implementing SSL/TLS functionality cost free (see above) I really, really, REALLY want this site to encrypt its traffic.
__________________
(the puppy / it / it) - m - pan - germany
proud to be Simi's pet
Unofficial getDare Minecraft-Server


likes - limits - toys -- pm dares

Randomly Locked in Chastity
(locked or not: no orgasms for this pup)

kik: LockedPuppy
Locked Puppy is offline   Reply With Quote
Old 01-06-2017, 11:16 AM   #8
Bluetooth
getDare Succubus
 
Bluetooth's Avatar
 
Join Date: May 2015
Location: UK
Posts: 1,541
Blog Entries: 6
Default

This is a great offer and whether or not they take you up on it I hope they sort this soon. It's ridiculous to have a website like this not on https.

FWIW, vBulletin doesn't just store your password in md5 but its approach is known to be obviously weak. Eg. https://www.troyhunt.com/data-breach...etin-and-weak/

This forum is at least on 3.8.7, but given the footer says 2013 who knows when it was last patched or if it's even still supported by vBulletin.
__________________
20s/m/switchy ABDL - Kik: bluetoothy

Likes/dislikes/limits | toys and supplies! | BDSM test results
Bluetooth is offline   Reply With Quote
Old 01-06-2017, 12:19 PM   #9
ancipiter
Junior Member
 
ancipiter's Avatar
 
Join Date: Dec 2013
Posts: 7
Default

I suspect the ad system (Juicy Ads? maybe some others too) will need reconfiguring somewhere to use https (or all the ads will disappear, which isn't a good outcome for GD as a whole) — this should be done now, or at least ahead of enabling https for the site itself. (Also, we'd want CloudFlare using https to the origin as well as to the client, so a letsencrypt-issued cert is important as well as any CF configuration.)

As IllPUTitIN, happy to help if it'll…help. Umm

vBulletin 3 is…rather old, and likely more complex to plan and execute a smooth upgrade. As Bluetooth points out, there are probably problems with the latest versions, but https should make things considerably less of a problem, and the latest version possibly more so. There's a cost to upgrading, also. Their upgrading tool will then work for the current site, although with a big version jump it's entirely likely that controls and such will move around and confuse everyone; so not to be done without some planning.
ancipiter is offline   Reply With Quote
Old 01-06-2017, 05:55 PM   #10
Locked Puppy
getDare Devil
 
Locked Puppy's Avatar
 
Join Date: Jun 2013
Location: in a cage (Leipzig, Saxony, Germany)
Posts: 1,298
Blog Entries: 11
Default

Yup, the ads might pose a problem, I haven't thought about those! But I hope the ad-network would provide a solution fo that, since more and more sites go to TLS/SSL. Of course this can be tested easily and run in parallel until all kinks have been worked out. (as for now, putting https in front of getdare.com just automatically brings you back to http, which speaks to a well configured server for that case)

concerning vBulletin, I have no solution for that, but that is a whole other matter. first and foremost, with all the governments literally snooping all traffic that leads out of their countries, transport encryption should be implemented. (again, for which I'd happily provide my time and resources)
__________________
(the puppy / it / it) - m - pan - germany
proud to be Simi's pet
Unofficial getDare Minecraft-Server


likes - limits - toys -- pm dares

Randomly Locked in Chastity
(locked or not: no orgasms for this pup)

kik: LockedPuppy
Locked Puppy is offline   Reply With Quote
Old 03-16-2017, 04:50 PM   #11
Fiona
Distinguished Member
 
Fiona's Avatar
 
Join Date: May 2016
Location: Central Europe
Posts: 604
Blog Entries: 9
Default

I agree that this is bad. I am visiting this site via TOR using a very-high-entropy password that I don't use anywhere else (passwordsafes ftw!), So the worst thing that can happen to ME is that I loose access to my account because someone re-sends the hash, given that this sounds as if there is no protection against replay-attacks…

BUT: I am willing to bet one month of denial, that there are quite a few other users, for whom this is not the case. Hashing with MD5, while certainly not good, is IMO still a passing-grade (hashing with sha3 really wouldn't be any better).

What Is however really worrisome is all that extremely private stuff that could in some cases ruin peoples lives go over the wire unencrypted. If someone is able to correlate a certain account to a certain person this could be nasty and might not be as hard as you may think. Given the information that user X is a Y year old male student of subject Z in a certain medium-sized town can narrow down things A LOT.

So by all means: Please enable encryption or at least provide it as an option. It's not even that slow nowadays: If you can afford PHP, you can afford encryption. ;-)
__________________
Trans-Woman (pre-HRT)/early thirties/mostly lesbian

If you ever get the impression that I did sloppy work please send me a punishment.

Likes: Diapers, (Self-)Bondage, Chastity (but all my devices suck), Hidden public, Enemas, Anal

Strong Dislikes: Changing messy Diapers
Hates: line writing
Soft Limits: long term, chance of discovery, corner-time, messy, drinking baby formula

Hard Limits: extreme pain, full public, people I know, scat, illegal, permanent,
Fiona is offline   Reply With Quote
The following user says Thank You to Fiona for this post:
Old 03-16-2017, 04:55 PM   #12
Locked Puppy
getDare Devil
 
Locked Puppy's Avatar
 
Join Date: Jun 2013
Location: in a cage (Leipzig, Saxony, Germany)
Posts: 1,298
Blog Entries: 11
Default

It is a free option for current contracts with cloudflare. So in the worst case, it's a check box away.
__________________
(the puppy / it / it) - m - pan - germany
proud to be Simi's pet
Unofficial getDare Minecraft-Server


likes - limits - toys -- pm dares

Randomly Locked in Chastity
(locked or not: no orgasms for this pup)

kik: LockedPuppy
Locked Puppy is offline   Reply With Quote
Old 03-21-2017, 12:39 AM   #13
Joe Kavalier
Member
 
Joe Kavalier's Avatar
 
Join Date: Sep 2014
Posts: 66
Nuclear vBulletin breaches

I don't understand why the site admins aren't on top of this. Do we need to message some of them individually?

Please note, the current version of vBulletin is 5. This site is running version 3. This is a post about a slew of sites using old versions of vBulletin which have been compromised over the past few years and which have come to light lately:

https://www.troyhunt.com/i-just-adde...-i-been-pwned/

GD is not on this list, but it's not exhaustive. HTTPS is important, and so is using a hosting service so we get patches automatically.

At this point, I think the correct assumption is that GD HAS been hacked and your account is not secure.
Joe Kavalier is offline   Reply With Quote
Old 07-05-2017, 04:01 AM   #14
Locked Puppy
getDare Devil
 
Locked Puppy's Avatar
 
Join Date: Jun 2013
Location: in a cage (Leipzig, Saxony, Germany)
Posts: 1,298
Blog Entries: 11
Default

Just wanting to put this back on the map. Anyone? I am still happy to help for free! I do get A+ ratings for my site's HTTPS implementation by SSL-labs.

The offer still stands.
__________________
(the puppy / it / it) - m - pan - germany
proud to be Simi's pet
Unofficial getDare Minecraft-Server


likes - limits - toys -- pm dares

Randomly Locked in Chastity
(locked or not: no orgasms for this pup)

kik: LockedPuppy
Locked Puppy is offline   Reply With Quote
Old 07-15-2017, 05:53 PM   #15
Makeshift
Junior Member
 
Join Date: May 2011
Posts: 3
Default

I'm not incredibly concerned about the password issues (though obviously they are a concern for people who use their accounts a bit more than me), but the fact we aren't running SSL on pages is both weird, bad, and bad for ad revenue.

Just a reminder to the admins - SSL is one of the deciding factors used by Google for working out your website rank. It's not hard to have and is definitely advisable. It also stops all your users from being tracked to every single page they go on.

Oddly, doing a quick SSL lookup shows that there is in fact a SSL cert for getdare: https://www.sslshopper.com/ssl-check...tdare.com/bbs/

But Chrome is reporting these pages as insecure.

If the website is to continue, I think it really does need a bit of a security spruce-up and some updates. I'm also willing to help as a security-centred web developer if you guys are interested.
Makeshift is offline   Reply With Quote
The following 2 users say Thank You to Makeshift for this post:
Reply

Tags
encryption, https, security, service, ssl

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -7. The time now is 04:03 PM.

Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc. - Also check out Kink Talk!reptilelaborer